Login failure sequence for detecting phishing

ABSTRACT

A login page of an online service is received in a user computer. False credentials, such as a false user identifier (ID) and a false password, are entered into the login page to login to the online service. The login page is classified as phishing when the online service does not serve a legitimate login-fail page in response to the entry of the false credentials in the login page.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer security, and moreparticularly but not exclusively to methods and systems for detectingphishing.

2. Description of the Background Art

Various online services are available over the Internet. Examples ofthese online services include online banking, data storage, webmail,social networks, etc. Generally speaking, an online service may beaccessed with appropriate credentials, such as a user identifier (e.g.,username, email address, mobile phone number) and a password. An enduser may obtain credentials upon creation of an online account with theonline service. The online service may maintain a website that serves awebpage for entering credentials, which is referred to as a “loginpage.”

The convenience provided by online services not only attracts legitimateend users but fraudsters as well. Fraudsters may gain access to anonline account of a victim using a variety of techniques including byphishing. Phishing is a cyber attack that involves some form ofmisrepresentation. A fraudster may operate a malicious website or hijacka legitimate website to serve a phishing login page, which is a webpagethat mimics the look and feel of a legitimate login page for the purposeof stealing the victim's credentials. The fraudster may direct thevictim to the phishing login page by spam email, man-in-the-middleattack, etc. The phishing login page is made to look convincingly realto trick the victim into entering his credentials.

To combat phishing, the characteristics of phishing login pages (e.g.,uniform resource locator (URL)) may be compiled in a blacklist. Theblacklist may be consulted to determine if a particular login page isphishing, i.e., perpetrating or part of a phishing attack. However,because of the number of phishing login pages continually increase, itis relatively difficult to create and maintain such a blacklist.

SUMMARY

In one embodiment, a login page of an online service is received in auser computer. False credentials, such as a false user identifier (ID)and a false password, are entered into the login page to login to theonline service. The login page is classified as phishing when the onlineservice does not serve a legitimate login-fail page in response to theentry of the false credentials in the login page.

These and other features of the present invention will be readilyapparent to persons of ordinary skill in the art upon reading theentirety of this disclosure, which includes the accompanying drawingsand claims.

DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a schematic diagram of a computer system in accordance withan embodiment of the present invention.

FIG. 2 shows a flow diagram of a system for detecting phishing inaccordance with an embodiment of the present invention.

FIG. 3 shows a logical diagram that illustrates sequentially servedwebpages.

FIGS. 4 and 5 show webpages of an example online service provider.

FIGS. 6 and 7 show an example phishing login page and an examplephishing login-fail page, respectively.

FIG. 8 shows a flow diagram of a method of detecting phishing inaccordance with an embodiment of the present invention.

The use of the same reference label in different drawings indicates thesame or like components.

DETAILED DESCRIPTION

In the present disclosure, numerous specific details are provided, suchas examples of systems, components, and methods, to provide a thoroughunderstanding of embodiments of the invention. Persons of ordinary skillin the art will recognize, however, that the invention can be practicedwithout one or more of the specific details. In other instances,well-known details are not shown or described to avoid obscuring aspectsof the invention.

Referring now to FIG. 1, there is shown a schematic diagram of acomputer system 100 in accordance with an embodiment of the presentinvention. The computer system 100 may be employed as a user computer, abackend system, and other computers described below. The computer system100 may have fewer or more components to meet the needs of a particularapplication. The computer system 100 may include one or more processors101. The computer system 100 may have one or more buses 103 coupling itsvarious components. The computer system 100 may include one or more userinput devices 102 (e.g., keyboard, mouse), one or more data storagedevices 106 (e.g., hard drive, optical disk, Universal Serial Busmemory), a display monitor 104 (e.g., liquid crystal display, flat panelmonitor), a computer network interface 105 (e.g., network adapter,modem), and a main memory 108 (e.g., random access memory). The computernetwork interface 105 may be coupled to a computer network 109, which inthis example includes the Internet.

The computer system 100 is a particular machine as programmed with oneor more software modules, comprising instructions stored non-transitoryin the main memory 108 for execution by the processor 101. An article ofmanufacture may be embodied as computer-readable storage mediumincluding instructions that when executed by the processor 101 of thecomputer system 100 causes the computer system 100 to be operable toperform the functions of the one or more software modules. In theexample of FIG. 1, the computer system 100 includes an anti-phishingmodule 110 for detecting phishing and similar cyber attacks. Theanti-phishing module 110 may comprise a phishing detector when thecomputer system 100 is employed as a backend system. The anti-phishingmodule 110 may comprise an anti-phishing agent when the computer system100 is employed as a user computer.

FIG. 2 shows a flow diagram of a system for detecting phishing inaccordance with an embodiment of the present invention. In the exampleof FIG. 2, the phishing detection system includes a one or more usercomputers 252 and one or more backend systems 260. In one embodiment, auser computer 252 may be any suitable computer that is employed by auser to navigate to a website. A backend system 260 may comprise one ormore computers for detecting phishing. A user computer 252 and a backendsystem 260 may communicate over the Internet.

An online service system 250 may comprise one more computers that host awebsite for providing a plurality of online services. A user may have anonline account with the website to access one or more of the onlineservices. The user may use the same set of credentials to access severalonline services. To access an online service, the user may employ a webbrowser 261 to communicate with the online service system 250. In theexample of FIG. 2, the online service system 250 hosts and serves aplurality of webpages, such as a login page 283, a login-fail page 282,and other webpages 281.

The online service system 250 may initially serve the login page 283 tothe user computer 252 to allow the user to login and be authenticated.Upon receiving credentials on the login page 283, the online servicesystem 250 may serve other webpages to the user computer 252 dependingon a variety of factors, including whether or not the credentials arevalid, the particular online service being accessed, etc.

More particularly, as shown in FIG. 3, the online service system 250 mayserve the login page 283 when the user logs in to access an onlineservice and thereafter serve the login-fail page 282 when the login isnot successful, a webpage 281-1 when the login is successful for a firstonline service, a webpage 281-2 when the login is successful for asecond online service, a webpage 281-3 when the login is successful fora third online service, etc. This is because some online service systemsare session-based to provide multiple online services and entry points.For example, when a user does not login or the session is expired, anonline service system may redirect the user to a login page, andredirect back to the previous webpage upon a successful login. In thatcase, the webpage 281 served by the online service system 250 followinga successful login may depend on the webpage or session from which thelogin page 283 was reached. This is further illustrated in FIG. 4involving the online services provided by GOOGLE Inc.

In the example of FIG. 4, a login page 383 may be reached from differentwebpages 320 of various online services provided by GOOGLE Inc., such asGOOGLE+ social network, GMAIL email, YOUTUBE video sharing site, GOOGLEMAPS map service. A webpage 320 is also referred to as a “before loginpage” because it is the webpage that is served right before the loginpage. A user may be redirected from a webpage 320 to the login page 383.Upon a successful login, i.e., valid credentials were entered into thelogin page 383, one of different webpages 321 may be served depending onthe online service being accessed. A webpage 321 is also referred to asan “after login page” because it is the webpage served right after thelogin page 383. A webpage 321 is also referred to as a “login-success”page because it is served in response to a successful login. Incontrast, a login-fail page is a webpage served in response to a failedlogin, i.e., invalid credentials were entered into the login page.

Observations made by the inventors on general Internet network trafficindicate that the sequences of webpages served in successful logins,such as a sequence of before login page, login page, and after loginpage, are too numerous and are frequently changing. In contrast, thesequences of webpages served in failed logins are much smaller. Forexample, as illustrated in the example of FIG. 5 involving the onlineservices provided by GOOGLE Inc., the number of after login pages ismuch more limited in the case of a failed login. More particularly, inthe example of FIG. 5, a user may start from one of a plurality ofwebpages 320 to land on the login page 383, but will receive one (or amuch smaller number of) login-fail page 382 upon a failed login.

Referring back to FIG. 2, in an example operation, the user computer 252employed by the user may receive a login page 283 from the onlineservice system 250 (arrow 201). The login page 283 is displayed on awindow of the web browser 261. In one embodiment, the anti-phishingagent 262 is configured to detect when the user computer 252 requestsand/or receives a login page. For example, the anti-phishing agent 262may identify reception of or request for a login page by consulting alocal or remote database that includes characteristics (e.g., entryfields for user ID and password) indicative of login pages. In responseto detecting that the user computer 252 is requesting for or hasreceived the login page 283, the anti-phishing agent 262 so notifies thebackend system 260 (arrow 202). In one embodiment, the notificationincludes the URL or other network location identifier of the login page283 to allow the backend system 260 to receive and analyze the loginpage 283 and to evaluate the behavior of the online service system 250.

In one embodiment, the backend system 260 includes a phishing detector271 and a login-fail page database 272. In one embodiment, thelogin-fail page database 272 includes indicators (e.g., URL, hash, etc.)of legitimate login-fail pages, i.e., webpages served by legitimateonline services in response to a failed login. As can be appreciated,because the number of sequences of webpages served in failed logins ismuch smaller than the number of sequences of webpages served insuccessful logins, the creation, maintenance, and processing of thelogin-fail page database 272 are relatively manageable, making thelogin-fail page database 272 practical for use in productionenvironments where webpages are continually evaluated for phishing. Thephishing detector 271 may be configured to consult the login-fail pagedatabase 272 to determine if a particular login page is legitimate.

In the example of FIG. 2, in response to the notification from theanti-phishing agent 262, the phishing detector 271 communicates with theonline service system 250 to receive the login page 283 and enter falsecredentials (e.g., randomly generated user identification (ID) andpassword) in the login page 283 (arrow 203). The phishing detector 271may deem the login page 283 to be a phishing page based on whether ornot the online service system 250 accepts the false credentials as validand whether or not the online service system 250 serves a legitimatelogin-fail page 282 in response to the entry of the false credentials inthe login page 283.

In the example of FIG. 2, the online service system 250 hosts alegitimate website and accordingly recognizes that the false credentialsare not valid. Consequently, in response, the online service system 250serves the login-fail page 282, which is a legitimate login-fail pagethat is indicated as such in the login-fail page database 272. Thephishing detector 271 receives the login-fail page 282, and recognizesthat the sequence of consecutively served webpages consisting of thelogin page 283 followed by the login-fail page 282 indicates that theonline service system 250 does not appear to be hosting a phishingwebsite. The phishing detector 271 consults the login-fail page database272 for confirmation, and finds that the login-fail page 282 has thecharacteristics of an authentic login-fail page of a legitimate websitethat is known to serve the login-fail page 282 after the login page 283in response to a failed login. Accordingly, the phishing detector 271classifies the login page 283, and the website hosted by the onlineservice system 250, as legitimate.

Legitimate websites and phishing sites abound on the Internet. In theexample of FIG. 2, a phishing site 251 is a website for perpetrating aphishing attack. To that end, the phishing site 251 maintains aplurality of phishing pages 284 for stealing confidential informationfrom unsuspecting users. The phishing pages 284 may comprise phishinglogin pages, phishing login-fail pages, phishing login-success pages,and other phishing pages.

The user computer 252 may request for or receive a phishing login pagefrom the phishing site 251 (arrow 204). The user computer 252 may beredirected to receive and display the phishing login page on the webbrowser 261 when the user unknowingly clicks on a link of a phishingemail, inadvertently navigates to the phishing site 251, etc. Theanti-phishing agent 262 recognizes the phishing page as a login page,e.g., because of user ID and password entry fields in the phishing page,and, in response, so notifies the backend system 260 (arrow 205). Thenotification includes the URL or other network location identifier ofthe phishing page.

In the example of FIG. 2, in response to the notification from theanti-phishing agent 262, the phishing detector 271 communicates with thephishing site 251 to receive the phishing login page and enter falsecredentials in the phishing page (arrow 206). The phishing site 251 hasno information on whether or not credentials entered in the phishingpage are valid. Accordingly, the phishing site 251 (and in general, mostphishing sites) simply accepts the false credentials as valid and servesa login-success page indicating a successful login. FIG. 6 shows anexample phishing login page that mimics the login page of the PAYPALonline payment service. FIG. 7 shows a phishing login-success page thatis served even when false credentials are entered into the phishinglogin page of FIG. 6.

In the example of FIG. 2, the phishing detector 271 recognizes that theafter login page is a login-success page, e.g., by scanning the afterlogin page for keywords or other characteristics indicative of asuccessful login. In response to receiving the login-success pagedespite the false credentials, the phishing detector 271 classifies thephishing page as a phishing page.

It is possible that the phishing site 251 may return a phishinglogin-fail page in response to the false credentials, such as when thephishing site 251 is configured to automatically reject an initial loginattempt to avoid detection. Accordingly, the phishing detector 271 isconfigured to evaluate the phishing login-fail page by consulting thelogin-fail page database 272. Because the phishing login-fail page isnot legitimate, the phishing login-fail page does not have acorresponding entry in the login-fail page database 272. Accordingly,the phishing detector 271 classifies the phishing login page andphishing login-fail page (and by extension the phishing site 251) asphishing pages. In response, the backend system 260 may so inform theanti-phishing agent 262 (arrow 207). The anti-phishing agent 262 mayrespond to the information that the phishing login page is a phishingpage by displaying a corresponding message, blocking the user fromentering credentials into the phishing login page, blocking reception ofother webpages from the phishing site 251, etc.

In light of the foregoing, it can be appreciated that all or some of thefunctionality of the phishing detector 271 may be implemented by theanti-phishing agent 262 on the user computer 252. For example, inresponse to detecting that the user computer 252 is requesting for orreceiving a login page, the anti-phishing agent 262 may prevent the userfrom interacting with the login page, enter false credentials into thelogin page, and evaluate the login page for phishing based on whether ornot the website serving the login page accepts the false credentials asvalid and whether or not the website serves a legitimate login-fail pagein response to the entry of the false credentials in the login page aspreviously explained with reference to the phishing detector 271. Theanti-phishing agent 262 may allow the user to enter his credentials intothe login page if the login page is classified as legitimate, or preventthe user from interacting with the login page if the login page isclassified as a phishing page. In that embodiment, the anti-phishingagent 262 may consult a local or remote login-fail page database toidentify legitimate login-fail pages.

FIG. 8 shows a flow diagram of a method of detecting phishing inaccordance with an embodiment of the present invention. The method ofFIG. 8 may be performed by the backend system 260 and/or the usercomputer 252 by running the anti-phishing agent 262 and/or the phishingdetector 271 in conjunction with a login-fail page database 272. Othercomponents may also be employed without detracting from the merits ofthe present invention.

In the example of FIG. 8, a login page is detected on a user computer(step 401). The login page may be detected upon request by the usercomputer to receive the login page or when the login page is rendered ona web browser running on the user computer. One or more falsecredentials are entered into the login page as per corresponding entryfields in the login page (step 402). For example, a false user ID and/ora false password may be entered into the login page. The credentials arefalse in that they do not correspond to an actual online account. In oneembodiment, the false credentials are randomly generated.

In one embodiment, the method of FIG. 8 may be performed in transparentmode where the false credentials are entered by a backend system or inovert mode where the false credentials are entered by the user computer.In the example of FIG. 8, in transparent mode, the user computerprovides the backend system the URL or other network location identifierof the login page (step 431). The backend system follows the URL tonavigate to the login page (step 432) and enters the false credentialsinto the login page received in the backend system. In the example ofFIG. 8, in overt mode, the user computer prevents the user from loggingin (step 441) and enters the false credentials in the login page (step442).

In the example of FIG. 8, the login page received in the user computeris classified as a phishing page depending on whether or not alogin-fail page is served to the user computer in response to the entryof false information in the login page (step 403). If the webpagereceived in the user computer is not a login-fail page (e.g., alogin-success page is received instead), the login page and the websitethat served the login page are classified as phishing, i.e.,perpetrating a phishing attack (step 403 to step 404). On the otherhand, if the webpage received in the user computer is a login-fail page,the login-fail page is evaluated to determine whether or not it islegitimate (step 403 to step 405). If the login-fail page is notlegitimate, e.g., by consulting a database of known legitimatelogin-fail pages, the login page and the website that served the loginpage are classified as phishing (step 405 to step 404). Otherwise, thelogin-fail page is classified as legitimate (step 405 to step 406).

Methods and systems for detecting phishing have been disclosed. Whilespecific embodiments of the present invention have been provided, it isto be understood that these embodiments are for illustration purposesand not limiting. Many additional embodiments will be apparent topersons of ordinary skill in the art reading this disclosure.

What is claimed is:
 1. A computer-implemented method comprising:detecting, in a user computer, a login page of an online service;sending a notification from the user computer to a backend system thatthe login page has been detected in the user computer; receiving, by thebackend system, the login page in the backend system using a networklocation identifier of the login page included in the notification;entering, by the backend system, a false credential in the login pagereceived in the backend system to login to the online service; receivinga login-fail page in the backend system, the login-fail page indicatingthat the login to the online service using the false credential hasfailed; determining, by the backend system, that the login-fail page isnot a legitimate login-fail page by comparing the login-fail page to adatabase of legitimate login-fail pages; and in response to determiningthat the login-fail page is not legitimate, preventing credentials frombeing entered into the login page.
 2. The computer-implemented method ofclaim 1, further comprising: informing the user computer that the loginpage received in the user computer is a phishing page in response todetermining that the login-fail page is not legitimate.
 3. Thecomputer-implemented method of claim 1, wherein the false credentialcomprises a false user identifier (ID).
 4. The computer-implementedmethod of claim 1, wherein the false credential comprises a falsepassword.
 5. The computer-implemented method of claim 1, wherein thefalse credential is randomly generated.
 6. The computer-implementedmethod of claim 1, wherein the network location identifier of the loginpage included in the notification is a uniform resource locator (URL).7. A system comprising: a user computer that is configured to receive alogin page of an online service and prevent a credential from beingentered into the login page when the login page is classified as aphishing page; and a backend system that is configured to receive fromthe user computer a notification regarding the login page, receive thelogin page in the backend system in response to receiving thenotification, to login to the online service by entering a falsecredential in the login page received in the backend system, receive alogin-fail page that indicates that the login to the online service hasfailed, evaluate whether or not the login-fail page is legitimate todetermine if the login page received in the user computer is a phishingpage, and classify the login page as a phishing page when the login-failpage is detected as not legitimate by comparing the login-fail page to adatabase of legitimate login-fail pages.
 8. The system of claim 7,wherein the user computer and the backend system communicate over theInternet.
 9. The system of claim 7, wherein the false credential is afalse user identifier (ID).
 10. The system of claim 7, wherein the falsecredential is a false password.
 11. The system of claim 7, wherein thefalse credential is randomly generated.